Introduction

SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.

You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.

As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don’t have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.

In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you’re in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won’t ever be useful to an attacker.

Prerequisites

In order to follow this tutorial, you will need:

A FreeBSD 10.1 server which is accessible over SSH

A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine

A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.

Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.

The unusually sophisticated malware, dubbed Mumblehard, has two main components which are both written in Perl and leverage the same custom packer which is written in assembly language to produce ELF binaries that work to obfuscate the source code.

“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.

“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”

The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.

“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.

“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Key findings in the analysis include:

Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average

A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period

The highest number of unique IP addresses seen in a single day is as high as 3,292

Mumblehard has been active since at least 2009

Among the compromised machines, web servers are the most susceptible to being infected

There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages

“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes.” the researchers noted.

“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

Introduction

The FreeBSD operating system utilizes the GENERIC kernel by default. This is a default configuration used to support a large variety of hardware out of the box. However, there are many different reasons for compiling a custom kernel, which include security, enhanced functionality, or better performance.

FreeBSD utilizes two branches of code for its operating system: stable and current. Stable is the current code release that is that is production ready. Current is the latest code release from the development team and has some of the latest bleeding edge features but is more prone to bugs and system instability. This guide will utilize the stable branch.

In this tutorial, we will recompile a FreeBSD kernel with a custom configuration.

Step 1 — Obtaining the Source Code

FreeBSD user asteriskRoss shows us how to get amd64 UEFI boot (with encrypted ZFS root) working in FreeBSD 10.1 using GELI.

Introduction
In this HOWTO, we’ll walk through installing FreeBSD 10.1-RELEASE as the sole operating system on a UEFI-enabled amd64/x86-64 PC to a single hard disk, with all except the /boot directory installed to a ZFS pool encrypted using geli(8).

The /boot directory will reside on an unencrypted UFS partition.

If you’re reading this for a later version of FreeBSD then it will probably work, but there may be a better and easier way of achieving the same goal. FreeBSD 10.1 was the latest release at time of writing.

PC manufacturers’ implementations of UEFI vary in quality. During the transition from legacy BIOS booting to UEFI, many manufacturers include a method of booting from both. This might be configurable or the firmware may decide which one to use based on the disk partitioning type (MBR or GPT) or presence of boot sector code. Even if your PC supports UEFI, implementation issues may prevent this method working for you.

The configuration described here is not compatible with the ZFS Boot Environment management utilities sysutils/beadm or manageBE, since both of these make assumptions about the filesystem layout that aren’t true here.

If you’re using an SSD, you should know that geli(8), which we are using here for encryption, doesn’t yet support TRIM, which will unfortunately have implications for your write performance.

A brief discussion on risk mitigation, disk encryption and GELI
This is not a HOWTO on different disk encryption techniques but you should understand what protection this configuration offers and what it doesn’t. When designing security, it is important to keep in mind whom you are defending against. In this configuration, I’m aiming to prevent someone reading my data if I lose the computer (all too common for laptops) or if it is stolen by a thief more interested in selling the hardware for cash than for any secrets on the hard disk. I am not looking to protect my data from espionage level attacks or from covert modification.

Encrypting information on a disk protects an attacker from accessing it “at rest”, that is, when the computer is powered off. It offers no protection at all against attacks while the computer is powered on and you have made that information available in its decrypted (plain text) form. This is true for all disk encryption. The configuration described here has further shortcomings. Secure Boot is disabled, the kernel and its modules are available in unencrypted form on the disk and I will be using GELI without enabling data authentication. This means that if someone sneaky wants to plant attack software on the machine, conduct an “evil maid” style attack or even modify the encrypted data so it decrypts to something different, they can and you won’t know about it.

If I had different requirements, I would consider putting my UEFI boot files and kernel on a removable disk that I kept with me, enabling data integrity verification for my GELI partition, encrypting with AES 256-bit keys rather than 128-bit, physically securing my PC and making it tamper evident, locking down the firmware configuration, rewriting the UEFI bootloader to support Secure Boot, using a PC with a TPM chip, reviewing the FreeBSD source code, never connecting my computer to the Internet, installing an alarm system in my office, training an attack dog to guard my computer… you get the idea. You can hire me for security consultancy or attack dog training at competitive rates but for now, let’s get on with the show.

Despite its age, it still pops up in places you wouldn’t expect. If you use an Apple device, chat on WhatsApp or watch a movie on Netflix, you’re interacting with FreeBSD. Here we take a look at this Unix-like operating system.

History

FreeBSD has its roots in the original BSD version of Unix that was first created in 1977 by Bill Joy, who would later co-found Sun Microsystems. We’ve covered the history of BSD in general in detail in another article.

FreeBSD, as well as all the other major BSD variants, including NetBSD, are descended from 386BSD, the first BSD version to run on PC hardware. For various reasons William Jolitz, the creator of 386BSD, stalled on the project. Other groups stepped in with their own modifications, known as “patchkits.” The group that would become FreeBSD was one of them.

A lawsuit by AT&T asserting copyright over the BSD code distracted the community, but the terms were worked out and FreeBSD moved to the BSD 4.4 “Lite” codebase that had no AT&T code in version 2.0.

FreeBSD got a lot of attention in the ’90s, being used to run a number of ISPs and websites. Yahoo was a notable user. The current version of FreeBSD is 10, and it’s still going strong, even as the computer world has changed.

Features

It was back in February that Microsoft open-sourced CoreCLR, the execution engine of the core .NET stack. Besides coming to Linux and other platforms, this MIT-licensed engine has now been ported and is working for FreeBSD.

As of this week the CoreCLR code can now produce a working build on FreeBSD and are setting up FreeBSD as part of their continuous integration infrastructure to ensure the FreeBSD support remains in top condition moving forward.

FreeBSD user KENNETH ENZ shows us how to get FreeBSD 10.1 set up as a domain controller.

Getting FreeBSD and Samba configured to function as a domain controller similar to Active Directory is a straightforward process. After installation & configuration of the server, a Windows 8.1 machine is added to the newly created domain.

I’ve had a ownCloud installation running for a good year or so on my unRAID server. As for ownCloud itself, I’ve been very happy with it. Managing non-unRAID things on unRAID though… not so fun. With that said, I’ve decided to move my installation to a FreeBSD 10.1 based system running on a Mac Mini. This box already services some minor things such as Murmur for our World of Warcraft guild The ORLY Factor, Git, etc. but is nearly idle most of the time.

Jail It!

A great feature of FreeBSD is jails. With a jail you can isolate an environment from the rest of the system such that if it comprimised, the rest of the system is not. Installations do not much with each other as well. All great stuff — lets put ownCloud in a jail!

ezjail

For jail management I choose ezjail. This makes working with jails… er, a bit eaezsier.

Install & Prepare ezjail

I did not have ezjail already installed. Below are the steps I took to get ezjail installed and prepped on the system:

This is a tutorial which shows how to dual boot Linux and PC-BSD 10. PC-BSD 10 uses ZFS as the file system and grub for the boot manager. I was able to successfully dual boot PC-BSD and CrunchBang Linux in my laptop.

I was able to achieve this after lots of trial and error methods. I have not found a valid guide in the internet to do it. All the tutorials were outdated or at least not working for me. I have spend a lot of time in the pc-bsd/freebsd irc channels and finally able to achieve this after trying out different suggestions from the irc members. Thanks to them all for the guidance.

If you want to dual boot PC-BSD, first install the Linux os (in this case, CrunchBang Linux) and then install PC-BSD 10. This is because most of the Linux OS won’t be able to detect ZFS (the default file system in PC-BSD 10). But PC-BSD grub will be able to detect EXT4 the default file system in most of the Linux distros. If you are looking for a tutorial for PC-BSD with UFS and Linux, you can find lot of guides in the interwebs. My guide only applies to PC-BSD with ZFS file system.

1. Install Crunch Bang Linux
2. Copy the relevant part from the Crunch Bang Linux grub menu. You can get it from the configuration file /boot/grub/grub.cfg . There will be lot of unwanted details in this menu but we will only need the one starts after the line “### BEGIN /etc/grub.d/10_linux ###” in this file .

For example, below given is the relevant part from my Crunch Bang Linux grub configuration :